I wrote:
I've updated a customer box from 9.0.106 to 9.0.111, and I'm getting a weird error that's keeping Manager from coming up.

11-Nov-2025 18:44:59.637 SEVERE [main] org.apache.catalina.valves.RemoteCIDRValve.setAllow 127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|65.76.160.206|68.4.199.145: The address [127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|65.76.160.206|68.4.199.145] is not valid

On 11/12/25 7:16 AM, Christopher Schultz wrote:
Agreed: the port-matching uses regular expressions and is totally undocumented.

The CIDR format is normal except for the totally-weird port matching:

127.0.0.1/32;^1*

This would match any connection coming from localhost with a port number starting with a 1. I'm not sure why port-matching requires regular expressions, because you could just use multiple CIDR "patterns" each with a separate port number. I guess maybe for just numbers of explicit ports?

I think your allow expression should be something like “127.0.0.0/8,::1,0:0:0:0:0:0:0:1,65.76.160.206,68.4.199.145”. (The two IPv6 entries appear to be functionally identical, so one could likely be removed.)

Correct. Assuming you don't care about port numbers, just use a comma-separated list of CIDR addresses. Since you are using specific IPs, the /32 for IPv4 is implied and you can leave it out. If you want to make it SUPER CLEAR that the items are CIDR expressions, maybe you want to add the /32 (or /128) at the end.

This just keeps getting weirder.

I was mistaken about a nearly identical "allow" clause working on the Tomcat 9.0.111 server on our own box: it's throwing the same exception.

So I shut it down, and switched our box back to the 9.0.110 server, and manager comes up just fine.

The "straight-out-of-the-box" allow clause for the 110 manager is
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"

Hmm! The "straight-out-of-the-box" allow clause for the 111 manager is
allow="127.0.0.0/8,::1/128"

I think I see where the problem is, but what changed, and why, after all the years of the first syntax, do we have a completely different one?

--
JHHL
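
Added example, not part of the original thread and not Tomcat's own code: a pre-upgrade check that reads a context.xml and reports any RemoteCIDRValve allow/deny entry that is not an IP address or CIDR block, such as a leftover RemoteAddrValve regex. It uses Python's ipaddress module as an approximation of Tomcat's parser; the XML below is a constructed sample built from the allow strings quoted in this thread, and the function names are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: valve 0 carries the regex-style list from the thread,
# valve 1 carries the comma-separated CIDR form suggested in the replies.
SAMPLE_CONTEXT = r"""
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteCIDRValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|65.76.160.206|68.4.199.145" />
  <Valve className="org.apache.catalina.valves.RemoteCIDRValve"
         allow="127.0.0.0/8,::1/128,65.76.160.206,68.4.199.145/32" />
</Context>
"""

def check_entry(entry):
    """Return None if the entry parses as an IP or CIDR block, else a reason."""
    # Per the thread, an optional ';<port regex>' may follow the address part.
    addr = entry.split(";", 1)[0].strip()
    try:
        ipaddress.ip_network(addr, strict=False)  # bare IP becomes /32 or /128
        return None
    except ValueError as exc:
        regex_like = any(c in addr for c in "\\|+*")
        return f"{exc}" + (" (looks like a RemoteAddrValve regex)" if regex_like else "")

def audit_context(xml_text):
    """Return (valve_index, attribute, entry, reason) for each invalid entry."""
    findings = []
    for idx, valve in enumerate(ET.fromstring(xml_text).iter("Valve")):
        if not valve.get("className", "").endswith("RemoteCIDRValve"):
            continue
        for attr in ("allow", "deny"):
            for entry in filter(None, (valve.get(attr) or "").split(",")):
                reason = check_entry(entry)
                if reason:
                    findings.append((idx, attr, entry.strip(), reason))
    return findings

if __name__ == "__main__":
    for idx, attr, entry, reason in audit_context(SAMPLE_CONTEXT):
        print(f"Valve #{idx} {attr}: {entry!r}: {reason}")
```

Running it against the real conf/Catalina/localhost/*.xml and each webapp's META-INF/context.xml before switching versions shows which allow lists still need converting.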

